How much does it cost to buy one thousand Russian/Eastern European based malware-infected hosts?

By Dancho Danchev

For years, many of the primary, market-share-leading ‘malware-infected hosts as a service’ providers have been accustomed to selling exclusive access to hosts from virtually the entire world, while excluding the sale, and the actual infection, of Russian and Eastern European based hosts. The Carberp gang disrupted this sociocultural trend when it started targeting Russian and Eastern European users, demonstrating that greed knows no boundaries, a move that ultimately led Russian and Ukrainian law enforcement to the group.

What’s the probability that Russian/Eastern European cybercriminals will continue targeting their own fellow citizens in an attempt to monetize the access to their PCs in the most efficient and profitable way possible? Huge.

In this post, I’ll profile a recently launched ‘malware-infected hosts as a service’ underground market proposition selling access to Eastern European based hosts, discuss the pricing scheme used, and emphasize the long-term perspective of these services, all at a time when novice cybercriminals have access to sophisticated DIY (do it yourself) malware generating tools.

More details:

Sample screenshot of the underground market advertisement:

A thousand malware-infected hosts in Ukraine go for $149, a thousand in Russia for $150, a thousand in Kazakhstan for $100, and a thousand in Belarus for $100; lastly, a thousand-host “Mix” goes for $25. The service also allows the purchase of a hundred hosts for $3, but fellow cybercriminals will only get access to a panel to monitor the activity, allowing them to confirm the ‘legitimacy’ of the service proposition.

The cybercriminal behind the service accepts WebMoney, Bitcoin and Yandex Money.

Whether the hosts come from active large-scale malicious spam campaigns or from targeted malware attacks, the cybercriminal behind this service is taking advantage of a basic marketing concept known as market segmentation, allowing fellow cybercriminals to directly abuse access to PCs located in their country of choice.

Meanwhile, in a series of blog posts, we’ve been highlighting a trend that’s been an everyday reality over the last couple of years, namely that U.S.-based malware-infected hosts continue to command the highest price in ‘malware-infected hosts as a service’ underground markets. What the current Russia/Eastern Europe-centered service demonstrates is that hosts in geographically dispersed locations continue to have their prices shaped by perceived value/competition based pricing schemes.

As always, we’ll keep an eye on the future development of this service and post updates as soon as new features are introduced.

New to the Threat Blog? Consider catching up with the following previously profiled underground services: